---(OOooOO)--------Overview of common Exploits--------------------------(OOo-
---(OOooOO)--------by Bodie---------------------------------------------(OOo-
---(OOooOO)--------bodi3@usa.net----------------------------------------(OOo-
This file is a basic explanation of some of the methods of exploiting
systems, it is not a full list, there are many exploits and to list them all
would take a up my whole hard disk, but these are the most common.
1) PHF
Largh if you like but it's supprising to see how often this still works.
Although the number of systems vulnerable is very small now and getting
smaller by the day it still saves a lot of time over some of the other
exploits. This exploit is even useable by windoze script kiddies.
It works because of a bug in a commonly used CGI script called PHF, this
allows any remote user to see any file on the system and even execute
commands :) To use it open up a web browser (If you wanna be really 31337,
you can telnet to port 80, but why make life hard for yourself) go to :
http://www.vulnerable.com/cgi-bin/phf?Qalias=x%0a[command]
where [command] is the command you want to execute. A command you can
execute is:
http://www.vulnerable.com/cgi-bin/phf?Qalias=x%0acat%20/etc/passwd
This will execute the command:
cat /etc/passwd
the %20 is used because it is the ascii charictor for space and you can't
use a space in the script. This command will give you the password file and
then you can start using your faverite cracker to get the passwords :)
Other CGI Exploits
PHF is just one example of a CGI exploit. The CGI (Common Gateway
Interface) is a system that allows people to interact with web pages. They
are used in signup processes, games or almost anything on the web. PHF
is an example of a vulnerability in a CGI program but there are many others.
the best known of these is the test-cgi exploit. This allows you to veiw
the contents of any directory, although this doesn't automaticly allow you to
get root access on the system it will allow you to gather usernames of users
on the system. This will sometimes show up any default accounts on the
system
2)Buffer Overflow Exploits
There are too many of these to name each of them but they all work on the
same principal. Examples of these would include statd, qpop and many more.
Each program can store data in an area of memory called the stack. This
stores data from each routine that a program calls. in a program like this
(a little programming knowledge is needed)
#include stdio.h
void hello() {
printf("hello");
}
void main() {
hello()
printf("now f**k off")
}
This is a very simple program which calls a routine hello() to print "hello"
to the screen (I would've used "hello world" but i couldn't spell world :)),
when the procedure hello is called, any data from the main program is put
onto the stack. In this program there is no data that has to be stored, but
it still has to store the location in the program so when it finishes
running the procedure hello() it can knows where is got to in the program
and prints "now f**k off" next. To enable the program to do this a return
address of the next instruction is also stored on the stack.
Helpfully, the buffer is arranged like this:
_______
|return |
|address|
|_______|
| |
| Data |
|_______|
This means that the data is put on the stack in a nice convenient position,
right next to the return address. The data area is allocated as the total
space allocated to all the variables that have to be put on the stack, in
out little program earlier there was no need to store any variables as there
were none, but most programs will have variables that they need to store on
the stack. How do ya exploit this? Look here:
void ouch(char *ot) {
char hitme[10];
strcpy(hitme,ot);
}
void main() {
char hehe[100];
int hmm;
for(i = 0; i < 10; i++)
hehe[i] = 'A';
ouch(hehe)
}
Now, here's where it gets a bit more exciting. First the string, 'hehe' is
filled with a long list of 'A's, this makes sure that the string is full.
Then the function 'ouch' copies the string 'ot' into the string 'hitme', in
this function, 'ot' refers to the string 'hehe' in the main body of the
program. 'hitme' is 10 charictors long and so is allocated 10 bytes, but if
we copt 'hehe', which is 100 bytes long into 'hitme' we won't have enough
space. Unfortunately the function we use to copy these 2 strings, strcpy,
doesn't check the length of the strings before it copies them. This means
that the contents of the string 'hitme' is bigger than the space allocated
to it. This causes the string to overrun into other memory areas like this
______________
| |
| |
Space allocated |--------------|<------- Actual end of data area, due to
for return ---->| | large size of 'hitme'
address |______________|<--------End of space allocated to data area
| |
Space allocated | |
for data area ->| |
| |
|______________|
This means that some of the data area will be taken as the return address.
In our program, the return address will be filled bit a line of 'A's, this
won't be a real address in the computers memory so it will obviously bomb
out with an error.
This type of error can be caused deliberately on some commercial programs
and, more interestingly, unix security programs. This means we can
manipulate the return address of the program to go to anywhere in the
computers memory. The most common way of exploiting this is to place code
into the data area of the buffer and have the return address point back to
that point in the buffer, this means we can insert our own code into the
program. This opens up the system to all sorts of wonderful effects :)
This was not a total explanation of buffer overflows, for more information
get phrack issue 49-14
But if ya names so1o ya don't need to bother with this, just type:
exploit [vulnerable host]
but this is written for any real hacker who wants to know what goes on behing
the code. More to come, but this file just gives ya a general feel for the
exploits.
3) Wingates
Wingates have become very popular amongst hackers recently, they allow you to
bounce a connection from any site running one of these, a wingate is basicly
a proxy server that allows you to send all your connections through that
host. Unsupprisingly because of the obvious security holes (and maybe
because of the name :)) a wingate can only be run on a windoze server or even
just a home box can run a wingate. A wingate was initialy built for a small
windoze network to access the net over one line without all the hassle of
setting up all the network software. In other words, it's another microshaft
security hole, something we've seen a lot of in the last few years.
Basicly all ya have to do is find a computer with a wingate running and
connect to it, then you can safely hack away :)
4) Exports
Some nice servers actually let you view almost any file on their system by
allowing their whole system to be mounted onto any foreign host. This is
extreemly kewl because it means that, if you are logged on as root on your
system it will mean that you have root priviliges on the remote system. This
exploit also works in windows, that is why you should never allow any of your
directories to be shared when you are on the net unless you don't mind loseing
the data in the directories and it doesn't contain any confidential stuff or
(as wth an unnamed person) your entire dox, thats just stupid
--------------
More to come, this will give ya a general feel for the exploits but i'll
explain them in more detail in other files - just to keep ya coming back
greetz:
Hybrid: Genrally kewl geezer who nicks my modem :)
The old bloke who turns up in Mcdonalds at 2600 meets: One of the wierdest
people in the world (Just beat me to it)
Pro plus: keeping me awake during all those long hacking nights
The US military: Supplying all my shells
9x: supplying t-files so that everyone can copy them